I was really unsure where to ask this question. If someone knowledgeable thinks I am just freaking out, please feel free to tell me why and close the question. However, the claims I am making here are not unreal.

I have signed up for about 20 Stack Exchange newsletters (like SO, Ask Ubuntu, Physics etc.) and I have observed that the spam mail I get has increased drastically thereafter. I use Gmail. This is a clean observation and I haven't signed up for any other thing, nor have I had any of my mail settings changed, but the spam count has increased about 10 times. I get one spam mail per hour, which is quite high compared to what it used to be a couple of weeks ago.

My question is whether Stack Exchange gives our mail addresses to some third party sites?

Can the mail IDs be retrieved by someone else if they want to (by some means)?

Are our Mail IDs stored in the database dumps?

Is some other Stack Exchange site doing this, if not for Stack Overflow...?

Are there some rules regarding this that have been mentioned in Stack Exchange agreements when we sign up?

Has anyone experienced this sort of thing after they signed up for newsletters?

I might be offending Stack Exchange by making false claims/ completely stupid in my questions (without referring to something that has been told), but I want to know what I asked. Please answer me. Thanks!

Spam rates (and how much anyone is hit, and how well spam filters catch them) tend to vary over time, so I'd wager this is mere coincidence...
– ChristopheD, Jun 26 '12 at 15:09

7

You can test this quite easily: 1) sign up for a new Gmail account with a non-obvious id; 2) sign up for a number of Stack Exchange newsletters with that email address; 3) do nothing else with that email address; 4) see what happens
– AakashM, Jun 26 '12 at 15:10

3

@AakashM and sign up with a name+stackexchange style sorter that no brute-force spammer could ever try
– Ben Brocka, Jun 26 '12 at 15:20

I doubt it. Note that many of the SE messages may be marked as spam by Gmail (there was a slight issue regarding the bounty messages recently due to some goofup). Mark them as "not spam", after a while they will no longer be sent to spam.
– Manishearth, Jun 26 '12 at 16:04

3

Googling for your real (non-public) name finds an account that you recently created (on another site) where you used a username that's very similar to your gmail name. I wouldn't be surprised if that (public) information is harvested. Could this be the reason?
– balpha♦, Jun 26 '12 at 17:07

To clear the air here, I was not using same username for my mail ID and Stack Exchange. Also, none of the spam mails came from Stack Exchange bounty or whatever. @AakashM: I am actually doing what you suggested there... I have created an account and (only) signed for newsletters to see if something weird is going to happen. I will post another question if that were the case.
– Forbidden Overseer, Jun 26 '12 at 20:29

@ChristopheD: It doesn't seem to be a coincidence my friend. Don't take my words "couple of weeks" too literally. It's actually more than that. I am not saying that all my spam comes from Stack Exchange related sources etc., but the point of my question was to clarify whether this observation is right or not. If it comes out to be that SE is really tight with our privacy, then I should probably blame some Social Networking site or my brain for "believing in seemingly complex randomness for false accusations". In any case, if my question helps for a better privacy policy, I would be happy.
– Forbidden Overseer, Jun 26 '12 at 20:42

"I was not using same username for my mail ID and Stack Exchange" -- I wasn't talking about Stack Exchange, I was talking about a site that has nothing to do with us. I'm not linking to it since that would disclose your real name etc., but google for your name and it'll be in the top hits.
– balpha♦, Jun 27 '12 at 8:40

@balpha: Neither did I... so, actually we both weren't referencing Stack Exchange there... So no worries! ;) EDIT: I was just "clearing the air" there... Directly answering your question: No. My name, mail ID, Stack Exchange ID have nothing in common between them including names and not to mention passwords. XD
– Forbidden Overseer, Jun 27 '12 at 9:12

I think you're still not understanding what I'm saying. My point has nothing to do with Stack Exchange. I'm just trying to offer a possible explanation for the recent increase in spam you're getting. Spammers harvest public information, and they try variations of known user names combined with popular email providers. With the account you recently created on that other site, it's very easy to guess your gmail address.
– balpha♦, Jun 27 '12 at 9:22

That Stack Exchange ID part I mentioned above was just an extra piece of information in case someone needed it. The answer to your question is in that answer. No, I think it would be really hard to guess my mail ID based on my name or anything like that. One has to guess 7 more characters which are very random to guess. So, that's not possible. The point you mentioned, with regard to the question - was actually a good one to think about.
– Forbidden Overseer, Jun 28 '12 at 1:34

2 Answers
2

My question is whether Stack Exchange gives our mail addresses to some
third party sites?

Nope, we don't share emails with anyone outside the company and moderators, who have to accept an agreement to preserve privacy (amongst other things).

Can the mail IDs be retrieved by someone else if they want to (by some
means)?

There is no sure way to recover email addresses from the data we make public. Now, if your email address is foo.bar@gmail.com and your user name is Foo Bar then somebody can guess it pretty easily. If somebody's already guessed your email address they can check it using our gravatar hash... but they can also check it by just trying to email you and see if it bounces.

Are our Mail IDs stored in the database dumps?

No personally identifiable information is made available as part of our routine data dumps. This includes emails and IP addresses.

Is some other Stack Exchange site doing this, if not for Stack
Overflow...?

The rules are the same for every site we run.

Are there some rules regarding this that have been mentioned in Stack
Exchange agreements when we sign up?

This isn't spelled out in our privacy policy at this time; currently we say we won't share personal information except with employees, contractors, and affiliate organizations (or in the case where we cease to exist*, either via liquidation or acquisition, at which point all bets are off).

I'll poke some folks to see if we can get this spelled out; it's de facto so we should de jure it.

*Poking includes seeing if that has to be true, would be nice if we could guarantee non-selling forever no matter what. Not familiar enough with the law to know if that's possible.

Nope, we don't share emails with anyone outside the company. Irrelevant here, but mods see this stuff. You may want to specify that in your post. And add it to the privacy policy. Unless mods are considered employees, in which case we want our paychecks ;-)
– Manishearth, Jun 26 '12 at 17:27

IMO that bit needs to be added to the employees, contractors, and affiliate organizations part of the actual privacy policy as well
– Manishearth, Jun 26 '12 at 18:26

@KevinMontrose: Seems like if something could go wrong here, it could be where you said that you share it with contractors/ affiliate organizations. I am just curious... Who are they? Would they do something like this? Making mail IDs available to someone else seems to be very similar to making them public. Could that be the loophole in the privacy policy? Are they the ones who are doing this for some reason?
– Forbidden Overseer, Jun 26 '12 at 20:35

@ForbiddenOverseer - affiliate organizations and contractors either don't exist (being effectively placeholders for sister companies, partnerships, etc.), or are our overseas employees (until recently we had no legal EU presence, so our remote developers were contractors). Looks like we'll be clarifying the privacy policy (was apparently already planned, I just didn't know about it) to spell out the "we won't sell your information / use it for spam" points that are already true.
– Kevin Montrose♦, Jun 26 '12 at 20:44

@KevinMontrose: So, it looks like you are very positive about Stack Exchange not giving our addresses to anyone else. I have no reason to distrust you. Seems like the claims I made are false claims. However, I hope that this helps you in writing your next privacy policy or something like that. Thanks for a fast reply BTW... ;)
– Forbidden Overseer, Jun 26 '12 at 20:48

User names on well-known email sites tend to get more spam, often from people who will blast out emails at an address, regardless of whether it exists or not. Also, using the same username on multiple of those sites causes the same issue (they'll copy/paste the user name from @yahoo to @gmail, for example).

If you wanted to conduct a true, thorough scientific investigation, then you would need the following test cases:

An email address on a public email service where the email address is made publicly available (positive control)

An email address on a public email service where the email address is NEVER used or made public (negative control)

An email address on a public server where the address is not made public but is used on the target systems (experimental)

An email address on a private email server where the email address is made publicly available (positive control)

An email address on a private email server where the email address is NEVER used or made public (negative control)

An email address on a private server where the address is not made public but is used on the target systems (experimental)

User names would need to be sufficiently different to ensure spammers who obtain the user name cannot guess the other user names based on single character differences. The public server should be the same for all public email addresses, and the private server should be the same for all private email addresses. All email addresses should subscribe to the exact same newsletters. These users should not be active on the target servers, nor anywhere else on the Internet (except to make the email address public).

Allow the experiment to continue for several months, monitoring all emails that originated from sources other than the target system.

Now, that's a good experiment. But asking moderators and site maintainers for confirmation/ making a better privacy policy seems to be a better option. However, conducting a similar experiment on our own doesn't seem to be such a bad idea, which I have started already. ;)
– Forbidden Overseer, Jun 26 '12 at 20:44
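
Added example (not part of the original posts): one way to score the experiment described in the answer above when the test address uses the name+stackexchange tagging suggested in the comments. It flags mail that reaches a tagged address from a sender outside the domains expected for that tag. The expected-domain table, the sample messages and every address in them are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: sender domains we expect to write to each +tag (adjust per test).
EXPECTED = {"stackexchange": {"stackexchange.com"}}

# Constructed sample messages; addresses and domains are placeholders.
SAMPLES = [
    "From: Stack Exchange <do-not-reply@stackexchange.com>\n"
    "To: tester+stackexchange@example.com\nSubject: Weekly newsletter\n\nbody\n",
    "From: Deals <promo@bulk-offers.example>\n"
    "Delivered-To: tester+stackexchange@example.com\nSubject: You won\n\nbody\n",
    "From: Deals <promo@bulk-offers.example>\n"
    "To: tester@example.com\nSubject: You won again\n\nbody\n",
]

def plus_tag(address):
    """Return the +tag of local+tag@domain, or None if the address has none."""
    local = address.rpartition("@")[0]
    _base, sep, tag = local.partition("+")
    return tag.lower() if sep and tag else None

def classify(raw):
    """Return (verdict, tag, sender_domain) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    tags = sorted({t for _, a in getaddresses(headers) if (t := plus_tag(a))})
    # From is spoofable; a real run should also require a DKIM/SPF pass.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not tags:
        return ("untagged", None, domain)
    for tag in tags:
        for allowed in EXPECTED.get(tag, ()):
            if domain == allowed or domain.endswith("." + allowed):
                return ("expected", tag, domain)
    return ("leak-suspect", tags[0], domain)

def summarize(raws):
    """Count verdicts across a mailbox export."""
    counts = {}
    for raw in raws:
        verdict = classify(raw)[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(summarize(SAMPLES))
```

A "leak-suspect" verdict means the tagged address reached a third party somehow; an "untagged" message proves nothing either way, since a sender can strip the +tag before mailing.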